Behavioral Blocking: An effective means of stopping 0-day

Behavioral blocking (a.k.a kernel rules / system rules) can provide the first layer of defense against emerging threats exploiting 0-day vulnerabilities. Exploits commonly take advantage of mistakes made by programmers and thus good applications can turn bad in an instant.

All in all a bit of clever social engineering can result in successful exploitation, thus, resulting in confidential information being stolen from a user’s system.

An effective use of behavioral blocking can mitigate the risks of a 0-day threat. This works by monitoring the behavior of applications and applying such rules as: “Adobe Acrobat shouldn’t spawn a command shell“, or “Internet Explorer should not inject threads into other processes.”

This way one can proactively block new exploits (including the one for MS Access) without the actual need to analyze the threat and produce detection for it. However; it is still crucial that other protection layers exist (behavioral analysis, system hardening, IPS firewall, etc) as behavioral blocking alone is not 100%.